SNMP is one of the services that is most often overlooked when pentesting networks. We tend to focus on well-known services such as web or database servers, but there is plenty of additional information to be had if we start considering SNMP when auditing a network.
SNMP stands for Simple Network Management Protocol. It is generally used by network monitoring applications to read and write state variables (interface status, number of packets sent, etc.) on managed devices, which include servers, workstations and network equipment.
SNMP agents listen by default on UDP port 161 (traps are sent to UDP port 162). And as Shodan shows, there are quite a few SNMP-enabled devices exposed publicly on the Internet.
If we add SNMP to the scope of a pentest, we can gather important information about the network, such as its topology, system users, running processes and installed software.
SNMP pentesting tools
In SNMP versions 1 and 2c, access is controlled by a shared secret called the community string, which travels in cleartext in every packet, so "protected" is a generous word. There are two types of community strings: a read-only community string that gives us access to the variables the agent exposes, and a read-write one that also allows us to set them, which on network devices can mean changing the running configuration.
Knowing these community strings is therefore vital to get access to the network information, and finding them is the first step of SNMP pentesting once the devices have been identified. The default values are public and private, and you'd be surprised how often they remain unchanged. When they have been changed, there are tools that brute-force them from wordlists; since most agents silently discard a request carrying a wrong community string, receiving any response at all confirms a guess. Many tools handle both the guessing and the retrieval tasks, some of them built on the popular Nmap and Metasploit frameworks.
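To make the community-string mechanism concrete, here is an added example (not the article's code, nor taken from Nmap, Metasploit or Cisc0wn) that encodes an SNMP GetRequest by hand, parses the GetResponse, and uses the pair for a community sweep of the kind snmp-brute and snmp_login perform. The target address and candidate list are assumptions, and SAMPLE_RESPONSE is a hand-constructed reply so the parser can be exercised without a live agent.

```python
"""SNMPv1/v2c GetRequest builder, GetResponse parser and community sweep. Added
example; not the article's code nor any listed tool's. The target host and the
candidate list are assumptions; SAMPLE_RESPONSE is a hand-constructed reply."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_NAME = "1.3.6.1.2.1.1.5.0"
DEFAULT_COMMUNITIES = ["public", "private", "manager", "cisco", "admin", "snmp"]

# BER encoding: an SNMP message is a plain ASN.1 SEQUENCE, nothing in it is secret
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value

def _integer(n):                      # minimal two's-complement INTEGER
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return _tlv(0x02, n.to_bytes(size, "big", signed=True))

def _oid(dotted):                     # first two arcs packed, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def build_get(community, oids, request_id=1, version=1):
    """GetRequest; version 0 = v1, 1 = v2c. Community is a cleartext OCTET STRING."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)  # NULL values
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _read_seq(buf):
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        items.append((tag, val))
    return items

def _decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_response(datagram):
    """Return (community, error_status, {oid: value}) from a GetResponse."""
    _, msg, _ = _read_tlv(datagram)
    (_, _ver), (_, comm), (pdu_tag, pdu) = _read_seq(msg)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % pdu_tag)
    (_, _rid), (_, err), (_, _idx), (_, vbl) = _read_seq(pdu)
    values = {}
    for _, vb in _read_seq(vbl):
        (_, oid), (vtag, val) = _read_seq(vb)
        values[_decode_oid(oid)] = (val.decode(errors="replace") if vtag == 0x04
                                    else int.from_bytes(val, "big", signed=True) if vtag == 0x02
                                    else val)  # noSuchObject (0x80) etc. left raw
    return comm.decode(), int.from_bytes(err, "big", signed=True), values

def sweep_communities(host, candidates=DEFAULT_COMMUNITIES, port=161, timeout=1.0):
    """Agents silently drop a wrong community, so timeout = rejected, reply = hit."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for rid, comm in enumerate(candidates, start=1):
            sock.sendto(build_get(comm, [SYS_DESCR, SYS_NAME], rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            _, err, values = parse_response(data)
            if err == 0:
                hits.append((comm, values.get(SYS_NAME)))
    return hits

# Constructed v2c GetResponse for community "public" carrying sysDescr.0 and sysName.0
SAMPLE_RESPONSE = bytes.fromhex(
    "304d 020101 0406 7075626c6963 a240 020101 020100 020100 3035 301d 0608 2b06010201010100"
    " 0411 4c696e757820726f7574657220352e3130 3014 0608 2b06010201010500 0408 656467652d727472")
```

`build_get("public", [SYS_DESCR])` produces the classic 40-byte sysDescr probe, and the community string is visible in it as the ASCII bytes right after the version integer, which is why a packet capture on any segment the monitoring server polls across gives the string away without any guessing. The sweep treats a UDP timeout as a wrong guess, so a short list of defaults is checked in seconds, while a long wordlist over a slow link needs a larger timeout or several sockets in parallel; call it as `sweep_communities("192.0.2.10")` against an assumed lab target.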
We talked about Nmap in our previous post about port scanning in industrial networks. This popular tool has a full built-in SNMP library, and many NSE scripts use it for SNMP pentesting, for example to guess community strings or to extract information from different sources (especially from Windows systems):
| NSE script | Description |
|---|---|
| snmp-brute | Attempts to find an SNMP community string by brute-force guessing |
| snmp-hh3c-logins | Attempts to enumerate Huawei / HP/H3C locally defined users |
| snmp-info | Extracts basic information from an SNMPv3 GET request |
| snmp-interfaces | Attempts to enumerate network interfaces through SNMP |
| snmp-ios-config | Attempts to download Cisco router IOS configuration files |
| snmp-netstat | Attempts to query SNMP for a netstat-like output |
| snmp-processes | Attempts to enumerate running processes through SNMP |
| snmp-sysdescr | Attempts to extract system information from an SNMP version 1 service |
| snmp-win32-services | Attempts to enumerate Windows services through SNMP |
| snmp-win32-shares | Attempts to enumerate Windows shares through SNMP |
| snmp-win32-software | Attempts to enumerate installed software through SNMP |
| snmp-win32-users | Attempts to enumerate Windows user accounts through SNMP |
The Metasploit Framework is another popular tool, designed to develop and run exploits against (usually remote) machines. It also features a number of modules that ease SNMP pentesting.
Cisc0wn is a brute-force cracker built on top of Metasploit (but not integrated into it) that aims to get community strings, similar to snmp-brute.
Like Nmap, Metasploit has auxiliary modules that help us extract information from SNMP-enabled devices:
| Module | Description |
|---|---|
| auxiliary/scanner/snmp/snmp_enum | Performs detailed enumeration of a host or range of hosts via SNMP |
| auxiliary/scanner/snmp/snmp_enumshares | Queries a range of hosts via SNMP to determine any available shares |
| auxiliary/scanner/snmp/snmp_enumusers | Queries a range of hosts via SNMP and gathers a list of usernames on the remote system |
| auxiliary/scanner/snmp/snmp_login | Scans a range of IP addresses to determine the community string for SNMP-enabled devices |
As we can see, there is a wide range of tools that make brute-forcing SNMP credentials and gathering network information rather easy. It is therefore necessary to secure SNMP: disable it on devices that do not need it, and where it is required, use strong, non-default community strings and restrict which source addresses the agent will answer (a community string alone is no protection against anyone who can sniff the traffic). Better still, use SNMP version 3, which is more secure than the previous versions because it supports per-user authentication and encryption of the traffic; both must actually be enabled (the authPriv security level), since SNMPv3 in noAuthNoPriv mode is no better than v2c.
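As an added example of the hardening advice above (not from the article or from the net-snmp project), the following places a typical weak snmpd.conf next to an SNMPv3 authPriv one and implements a small audit that flags the weaknesses the article lists. The directive names are net-snmp's; the user name, addresses and passphrase placeholders are assumptions, and both configuration texts are constructed samples.

```python
"""Audit of a net-snmp snmpd.conf for the weaknesses listed above. Added example,
not the article's or net-snmp's code. Both configs are constructed samples; the
user name, addresses and passphrase placeholders are assumptions."""

DEFAULT_COMMUNITIES = {"public", "private", "manager", "cisco", "admin", "snmp"}
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6",
                        "com2sec", "com2sec6")

WEAK_CONF = """\
# typical v1/v2c setup: default strings, readable by everyone, writable by anyone who guesses
rocommunity public
rwcommunity private
rocommunity Xk9vQp2L 10.0.0.0/24      # non-default and source-restricted, but still cleartext
"""

HARDENED_CONF = """\
# SNMPv3 only: the user must authenticate (SHA) and every packet is encrypted (AES).
# Create the user once, with snmpd stopped, either with
#   net-snmp-create-v3-user -ro -a SHA -A '<auth-pass>' -x AES -X '<priv-pass>' monitor
# or a one-shot 'createUser monitor SHA "<auth-pass>" AES "<priv-pass>"' line.
rouser monitor priv
# no community lines at all, and listen only on the management interface
agentAddress udp:10.0.0.5:161
"""

def audit_snmpd_conf(text):
    """Return [(line, severity, message)]; an empty list means nothing was flagged."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive in COMMUNITY_DIRECTIVES:
            # com2sec NAME SOURCE COMMUNITY   vs   rocommunity COMMUNITY [SOURCE [OID]]
            comm = args[2] if directive.startswith("com2sec") and len(args) > 2 else (args[0] if args else "")
            findings.append((lineno, "medium", f"v1/v2c community '{comm}' crosses the network in cleartext; move to SNMPv3"))
            if comm.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "high", f"default community string '{comm}'"))
            if directive.startswith("rwcommunity"):
                findings.append((lineno, "high", "read-write community allows remote configuration changes"))
            if directive.startswith("r") and (len(args) < 2 or args[1] == "default"):
                findings.append((lineno, "low", "community accepted from any source address"))
        elif directive in ("rouser", "rwuser"):
            user = args[0] if args else "?"
            level = args[1].lower() if len(args) > 1 else "auth"  # snmpd's default when omitted
            if level == "noauth":
                findings.append((lineno, "high", f"SNMPv3 user '{user}' needs no authentication"))
            elif level == "auth":
                findings.append((lineno, "medium", f"SNMPv3 user '{user}' authenticates but is not encrypted; use 'priv'"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "clean")
```

The third line of the weak configuration is the interesting one: a long, non-default community string limited to one subnet still draws a finding, because nothing about v1/v2c stops a host on that subnet from reading the string off the wire. The hardened file passes only because it has no community lines at all and its single user is declared at the `priv` level; a `rouser monitor` line without the level would be accepted by snmpd (it defaults to `auth`) but would leave the traffic readable, which the audit reports.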
Finally, here is a video showing the usage of some of the SNMP pentesting tools mentioned above, in an almost real environment: